Abstract. In this paper, we integrate separation logic with Propositional Projection Temporal Logic (PPTL) to obtain a two-dimensional logic, namely PPTL^SL. The spatial dimension is realized by a decidable fragment of separation logic which can be used to describe linked lists, and the temporal dimension is expressed by PPTL. We show that PPTL and PPTL^SL are closely related in their syntax structures. That is, for any PPTL^SL formula in a restricted form, there exists an "isomorphic" PPTL formula. The "isomorphic" PPTL formulas can be obtained by first an equisatisfiable translation and then an isomorphic mapping. As a result, the existing theory of PPTL, such as the decision procedure for satisfiability and the model checking algorithm, can be reused for PPTL^SL.
1 Introduction

The heap is an area of memory for dynamic memory allocation, and pointers are references to heap cells. It is hard to detect errors of heap-manipulating programs with inappropriate management of the heap. Verification of such programs is an active research field today and has had a long history since the early 1970s [1]. However, it is still a big challenge because of aliasing [2]. Programs become more error-prone with serious problems, e.g. memory violations, memory leaks, etc. In addition, reasoning about temporal properties of the heap of these programs is even more difficult than reasoning about memory safety properties alone.

Reynolds [3] and O'Hearn [4] proposed a Hoare-style logic which is known as separation logic. More recently, separation logic is increasingly being used and extended for automated assertion checking and shape analysis [B]. Although separation logic is very popular due to its reasoning power for heap-manipulating programs, we emphasize that it is a variant of Hoare-like proof systems. That is to say, it is a static logic which infers assertions at each program point. What we mean by "static" is that separation logic lacks the power to express heap evolution properties, i.e. the "dynamic" evolution of the heap over time. For instance, the separation logic formula $\varphi * \varphi'$ specifies properties, at one state, holding respectively for disjoint portions of the heap: one makes $\varphi$ true and the other makes $\varphi'$ true. But a temporal property like "the heap can be divided into two disjoint sub-heaps ($\varphi * \varphi'$) always (or eventually) during program execution" cannot be expressed by separation logic.

Temporal logic is another highly successful formalism which has already been well developed in automatic program verification. There are various versions of temporal logic such as Computation Tree Logic (CTL) [7] and Linear Temporal Logic (LTL) [8]. While LTL is interpreted over an infinite sequence of states and CTL over a tree structure, the base logic utilized in this paper, Propositional Projection Temporal Logic (PPTL) [9], is an interval based temporal logic, which is interpreted over finite or infinite intervals. It is more powerful than both LTL and CTL with respect to expressiveness [10]. However, temporal logics do not have the ability to reason about heaps. Both the models and the logics need to be augmented with heap ingredients if we want to deal with heaps.

It is useful to integrate the two types (spatial and temporal) of logics such that heap evolution properties can be specified and verified in a unified manner. There are various temporal logics previously designed for heap verification in the literature. Evolution Temporal Logic (ETL) [T3] is a first-order LTL for the description of program behaviors that cause dynamic allocation and deallocation of heap. ETL mainly focuses on describing large-granularity heap objects and high-level threads. Based on a tableau model checking algorithm, Navigation Temporal Logic (NTL) [T3] extends LTL with pointer assertions for reasoning about the evolution of heap cells. Rieger established an expressive Temporal Pointer Logic (TPL) [15] which expresses properties of computation paths and pointer comparisons evaluated on single heap states separately. An approach based on abstraction techniques for TPL has to be built as the logic is in general undecidable. In m, LTL and CTL are combined, in time and space, to specify complex properties of programs with dynamic heap structures. Though it is a two-dimensional logic, both dimensions are realized by temporal logics, which makes the difference between the two dimensions less obvious. The work m proposed by Brochenin et al. devises a logic by means of a quantifier-free fragment of separation logic as the underlying assertion language, on top of which is Propositional LTL (PLTL). Formulas in this logic include pointer arithmetic, which is well studied, and expressions are enriched with the $\bigcirc$ operator denoting their next value. Various classes of models and fragments of separation logic are explored in depth. Yet some common properties like memory safety and shape properties cannot be characterized, as quantifiers are not contained in any fragment, and no tool or experimental results for the logic are available yet.

In this paper, we propose a two-dimensional (spatial and temporal) logic named PPTL^SL for specifying heap evolution properties of programs by integrating separation logic with PPTL. On the one hand, our logic inherits the advantages of separation logic in describing heaps in a much simpler and more intuitive way. Meanwhile, the fragment of separation logic utilized here can describe complex heap structures. On the other hand, PPTL is more powerful than PLTL since PPTL describes full regular languages m. In contrast, PLTL describes star-free regular languages mm. Moreover, the spatial-temporal logic introduced in this paper contains the chop connective $;$ for sequentially combining formulas, which enables us to easily express the occurrence of sequential events, and the star connective $*$ (or $+$), which enables us to state loop properties. For instance, the formula $P_1 ; P_2$ asserts that $P_1$ holds from now until some point in the future, and from that point on, $P_2$ holds. $P^*$ or $P^+$ means that $P$ repeatedly holds for a finite or infinite number of times.

The main contributions of this paper include: (a) we propose an expressive temporal logic composed of a temporal dimension (evolution of programs) and a spatial dimension (heap structures); (b) an isomorphic relationship is established between PPTL^SL and PPTL in order to solve the satisfiability problem of PPTL^SL and further to obtain the corresponding decision procedure. Our previous work m also presents a logic that integrates separation logic with PPTL. However, a different fragment of separation logic without quantifiers is employed in that work. Therefore, that logic is limited in expressing some useful properties, e.g., memory safety properties. In that paper we only prove a normal form of the logic, whose satisfiability problem remains unsolved. We believe that the direct normal form approach is not enough to guarantee the decidability of the logic. Therefore, we use an alternative approach which builds an isomorphic relationship in order to solve the satisfiability problem.

The remainder of this paper is organized as follows. In the following section, the syntax and semantics of the two-dimensional logic PPTL^SL are presented. In Section 3, an isomorphic relationship between PPTL and PPTL^SL formulas is obtained. As a result, Section 4 illustrates how the decision procedure for checking satisfiability of PPTL can be reused for PPTL^SL. Conclusions are drawn in Section 5.

2 The Two-Dimensional Logic PPTL^SL

The satisfiability problem for full separation logic is known to be undecidable m. In this section, we first introduce a decidable fragment of separation logic (SL for short) which is able to describe linked list structures. Then we make a temporal extension to SL by adding the temporal operators of PPTL.

2.1 A Fragment of Separation Logic for Linked Lists 

The fragment of separation logic presented here is a variation of the one in PP]. We assume a countably infinite set $Var$ of variables with a fixed ordering, ranged over by $x, y, z, \ldots$. Let $Loc$ be a finite set of valid locations composed of natural numbers greater than zero. $Val = Loc \cup \{0\}$ denotes the set of values, which are either locations or 0. The constant 0 represents the null location. We refer to a pair $(I_s, I_h)$ as a memory state $s$, where $I_s : Var \to Val$ represents a stack and $I_h : Loc \to Val$ a heap.


Syntax. Formulas of SL are defined by the grammar below, where $n$ is a natural number:

Terms $e ::= n \mid x$

SL Formulas $\varphi ::= e_1 = e_2 \mid e_1 \mapsto e_2 \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 * \varphi_2 \mid \exists x : \varphi$

We will make use of the standard notations for the other derived connectives. We write $dom(f)$ to denote the domain of a mapping $f$. Given two mappings $f_1$ and $f_2$, $f_1 \perp f_2$ means that $f_1$ and $f_2$ have disjoint domains. Moreover, we use $f_1 \cdot f_2$ to denote the union of $f_1$ and $f_2$, which is undefined unless $f_1 \perp f_2$. The formula $e_1 \mapsto e_2$ denotes that $e_1$ points to $e_2$, where $e_1$ represents an address in the heap and $e_2$ the value held at that address.

Semantics. For every term $e$, the evaluation of $e$ relative to a state $(I_s, I_h)$ is defined as $(I_s, I_h)[e]$:

$(I_s, I_h)[n] = n \qquad (I_s, I_h)[x] = I_s(x)$

The semantics of SL formulas is given below by a relation $\models_{SL}$ equipped with the subscript $SL$.

$I_s, I_h \models_{SL} e_1 = e_2$ iff $(I_s, I_h)[e_1] = (I_s, I_h)[e_2]$.

$I_s, I_h \models_{SL} e_1 \mapsto e_2$ iff $dom(I_h) = \{(I_s, I_h)[e_1]\}$ and $I_h((I_s, I_h)[e_1]) = (I_s, I_h)[e_2]$.

$I_s, I_h \models_{SL} \neg\varphi$ iff $I_s, I_h \not\models_{SL} \varphi$.

$I_s, I_h \models_{SL} \varphi_1 \vee \varphi_2$ iff $I_s, I_h \models_{SL} \varphi_1$ or $I_s, I_h \models_{SL} \varphi_2$.

$I_s, I_h \models_{SL} \varphi_1 * \varphi_2$ iff there exist $I_{h1}, I_{h2}$ such that $I_{h1} \perp I_{h2}$, $I_h = I_{h1} \cdot I_{h2}$, $I_s, I_{h1} \models_{SL} \varphi_1$ and $I_s, I_{h2} \models_{SL} \varphi_2$.

$I_s, I_h \models_{SL} \exists x : \varphi$ iff there exists $v \in Val$ such that $I_s[x \to v], I_h \models_{SL} \varphi$.
The following derived heap predicates are used:

$e_1 \hookrightarrow e_2 \stackrel{def}{=} e_1 \mapsto e_2 * true$

$\sharp e \ge n \stackrel{def}{=} \underbrace{(\exists y : y \mapsto e) * \cdots * (\exists y : y \mapsto e)}_{n \text{ times}} * true$

$e_1 \xrightarrow{\circ} e_2 \stackrel{def}{=} alloc(e_1) \wedge (e_2 \ne e_1 \to \neg alloc(e_2) \wedge \sharp e_1 = 0) \wedge (\forall x : x \ne e_2 \to (\sharp x = 1 \to alloc(x))) \wedge (\forall x : x \ne 0 \to \sharp x \le 1)$

$ls(e_1, e_2) \stackrel{def}{=} e_1 \xrightarrow{\circ} e_2 \wedge \neg(e_1 \xrightarrow{\circ} e_2 * \neg emp)$

Formula $e_1 \hookrightarrow e_2$ has a weaker meaning than $e_1 \mapsto e_2$ since the domain of the heap of the former may contain other allocated heap cells in addition to $e_1$. $alloc(e)$ indicates that the cell $e$ is allocated in the current heap. $emp$ is true just for the empty heap, whose domain is $\emptyset$. $\sharp e \ge n$ holds in case $e$ has at least $n$ predecessors; $\sharp e = n$ and $\sharp e < n$ can be obtained by obvious combinations of comparison predicates. A state $(I_s, I_h)$ satisfying $e_1 \xrightarrow{\circ} e_2$ indicates that $I_h$ can be decomposed into a list segment between $e_1$ and $e_2$ and a finite collection of cyclic lists. In addition, $ls(e_1, e_2)$ describes a list segment starting at the location denoted by $e_1$ whose last link contains the value of $e_2$; in particular, $ls(e, 0)$ is a complete linked list and $ls(e, e)$ is a cyclic linked list.


2.2 Temporal Extension to Separation Logic

In order to express temporal properties of heap systems, we integrate SL with PPTL. The two-dimensional logic is named PPTL^SL. Let $Prop$ be a countable set of atomic propositions. Formulas $Q$ of PPTL and $P$ of PPTL^SL are given by the following grammars, respectively:

PPTL Formulas $Q ::= q \mid \neg Q \mid Q_1 \vee Q_2 \mid \bigcirc Q \mid (Q_1, \ldots, Q_m)\ prj\ Q \mid Q^*$

PPTL^SL Formulas $P ::= \varphi \mid \neg P \mid P_1 \vee P_2 \mid \bigcirc P \mid (P_1, \ldots, P_m)\ prj\ P \mid P^*$

where $q \in Prop$, $\varphi$ denotes SL formulas, and $P_1, \ldots, P_m$ are all well-formed PPTL^SL formulas ($Q_1, \ldots, Q_m$ are all well-formed PPTL formulas). $\bigcirc$ (next), $prj$ (projection) and $*$ (star) are the basic temporal operators. A formula is called a state formula if it does not contain any temporal operators; otherwise it is a temporal formula.

An interval $\sigma = \langle s_0, s_1, \ldots \rangle$ is a sequence of states, possibly finite or infinite; $\varepsilon$ denotes the empty interval. The length of $\sigma$, denoted by $|\sigma|$, is $\omega$ if $\sigma$ is infinite, otherwise it is the number of states minus one. To have a uniform notation for both finite and infinite intervals, we will use extended integers as indices. That is, we consider the set $N_0$ of non-negative integers and $\omega$, define $N_\omega = N_0 \cup \{\omega\}$, and extend the comparison operators $=, <, \le$ to $N_\omega$ by considering $\omega = \omega$ and, for all $i \in N_0$, $i < \omega$. Moreover, we define $\preceq$ as $\le - \{(\omega, \omega)\}$. With such a notation, $\sigma_{(i..j)}$ $(0 \le i \preceq j \le |\sigma|)$ denotes the sub-interval $\langle s_i, \ldots, s_j \rangle$ and $\sigma^{(k)}$ $(0 \le k \preceq |\sigma|)$ denotes the suffix interval $\langle s_k, \ldots, s_{|\sigma|} \rangle$ of $\sigma$. The concatenation of $\sigma$ with another interval (or the empty string) $\sigma'$ is denoted by $\sigma \cdot \sigma'$. Further, let $\sigma = \langle s_0, \ldots, s_{|\sigma|} \rangle$ be an interval and $r_1, \ldots, r_h$ be integers $(h \ge 1)$ such that $0 \le r_1 \le r_2 \le \cdots \le r_h \preceq |\sigma|$. The projection of $\sigma$ onto $r_1, \ldots, r_h$ is the interval (called the projected interval) $\sigma \downarrow (r_1, \ldots, r_h) = \langle s_{t_1}, \ldots, s_{t_l} \rangle$, where $t_1, \ldots, t_l$ is obtained from $r_1, \ldots, r_h$ by deleting all duplicates. That is, $t_1, \ldots, t_l$ is the longest strictly increasing subsequence of $r_1, \ldots, r_h$. For example,

$\langle s_0, s_1, s_2, s_3, s_4 \rangle \downarrow (0, 0, 2, 2, 2, 3) = \langle s_0, s_2, s_3 \rangle$

An interpretation for a PPTL^SL formula is a triple $\mathcal{I} = (\sigma, k, j)$ where $\sigma = \langle s_0, s_1, \ldots \rangle$ is an interval, $k$ a non-negative integer and $j$ an integer or $\omega$ such that $0 \le k \preceq j \le |\sigma|$. We write $(\sigma, k, j) \models P$ to mean that a formula $P$ is interpreted over the sub-interval $\sigma_{(k..j)}$ of $\sigma$ with the current state being $s_k$. The notation $s_k = (I_s^k, I_h^k)$ indexed by $k$ represents the $k$-th state of an interval $\sigma$. The satisfaction relation $\models$ for PPTL^SL formulas is defined as follows.

$\mathcal{I} \models \varphi$ iff $I_s^k, I_h^k \models_{SL} \varphi$.

$\mathcal{I} \models \neg P$ iff $\mathcal{I} \not\models P$.

$\mathcal{I} \models P_1 \vee P_2$ iff $\mathcal{I} \models P_1$ or $\mathcal{I} \models P_2$.

$\mathcal{I} \models \bigcirc P$ iff $k < j$ and $(\sigma, k+1, j) \models P$.

$\mathcal{I} \models (P_1, \ldots, P_m)\ prj\ P$ iff there exist integers $k = r_0 \le r_1 \le \cdots \le r_m \preceq j$ such that $(\sigma, r_0, r_1) \models P_1$, $(\sigma, r_{l-1}, r_l) \models P_l$ (for $1 < l \le m$), and $(\sigma', 0, |\sigma'|) \models P$ for one of the following $\sigma'$:

(a) $r_m < j$ and $\sigma' = \sigma \downarrow (r_0, \ldots, r_m) \cdot \sigma_{(r_m+1..j)}$;

(b) $r_m = j$ and $\sigma' = \sigma \downarrow (r_0, \ldots, r_h)$ for some $0 \le h \le m$.

$\mathcal{I} \models P^*$ iff there are finitely many $r_0, \ldots, r_n \in N_\omega$ such that $k = r_0 \le r_1 \le \cdots \le r_{n-1} \preceq r_n = j$ $(n > 0)$, $(\sigma, r_0, r_1) \models P$ and for all $1 < l \le n$, $(\sigma, r_{l-1}, r_l) \models P$; or there are infinitely many integers $k = r_0 \le r_1 \le r_2 \le \cdots$ such that $\lim_{l \to \infty} r_l = \omega$, $(\sigma, r_0, r_1) \models P$ and for all $l > 1$, $(\sigma, r_{l-1}, r_l) \models P$.

A formula $P$ is satisfied over an interval $\sigma$, written $\sigma \models P$, if $(\sigma, 0, |\sigma|) \models P$ holds. When $\sigma \models P$ holds for some interval $\sigma$, we say that formula $P$ is satisfiable. A formula $P$ is valid, denoted by $\models P$, if $\sigma \models P$ holds for all $\sigma$. Also we have the following derived formulas:

$\varepsilon \stackrel{def}{=} \neg\bigcirc true \qquad P_1 ; P_2 \stackrel{def}{=} (P_1, P_2)\ prj\ \varepsilon \qquad P^+ \stackrel{def}{=} P ; P^*$

$\Diamond P \stackrel{def}{=} true ; P \qquad \Box P \stackrel{def}{=} \neg\Diamond\neg P \qquad \bigcirc^n P \stackrel{def}{=} \bigcirc(\bigcirc^{n-1} P),\ n \ge 1$

Note that we use a finite set of natural numbers to denote locations. The main reason for this is that we want to preserve the decidability of PPTL^SL while at the same time expressing more recursive heap properties. SL allows existential quantifiers, hence we can define properties about linked lists using them. However, PPTL^SL would be undecidable if the set of locations were infinite. Another way is to drop existential quantifiers in SL and keep the locations infinite. We would probably obtain a decidable logic, but it would be unable to describe complex heap properties.


2.3 Specifying Heap Evolution Properties with PPTL^SL

Consider the following C-like program, which first creates a linked list of some certain length (left part), then reverses its reference direction (right part). NULL is a macro for zero.


struct Node {
  struct Node *next;
};

function cre_rev() {
  Node *x, *y, *t; int cnt := 0;
  x := NULL;
  while (cnt < 100) {
    t := new(Node);
    t->next := x;
    x := t;
    cnt := cnt+1;
  } { ① }

  y := NULL;
  while (x != NULL) { ③ } {
    t := x->next;
    x->next := y;
    y := x;
    x := t;
  } { ② }
}


Some of the important state assertions specified by SL are labeled with ①, ② and ③, respectively:

① $(x = 0 \wedge emp) \vee ls(x, 0)$ \quad ② $(y = 0 \wedge emp) \vee ls(y, 0)$ \quad ③ (① $*$ ②)


Properties of interest for this program include the temporal relations among these state assertions, for instance:

(1) Two events happen sequentially: the first one is to create a list whose head pointer is $x$, resulting in ①, and the second is to reverse the list such that the head pointer of the resulting list will be $y$, leading to ②. More precisely, this property integrates a heap shape property with an interval property. The heap shape property can be expressed by ① and ②, and the interval property by the chop connective $;$. The PPTL^SL formula $\Diamond①;\Diamond②$ expresses this property. It means that at some time the heap consists only of a complete linked list whose head pointer is $x$, and later the list becomes reversed with $y$ being the head.

(2) After the list is created, $x$ and $y$ will point to distinct lists (represented by ③), and this holds repeatedly for several times. This property integrates a heap non-interference property with a loop property, which can be described by the formula $\Diamond((\bigcirc^4 ③)^*)$. The former property is captured by ③ (a separating conjunction) and the latter by the star connective $*$. Note that the formula in this example assumes that each statement executes in a unit interval. Eventually ③ holds several times during the execution of the list reversal sub-program.

We can see that (1) and (2) are typical heap evolution properties that can be expressed neither by separation logic nor by temporal logics. However, we can easily and clearly express them with PPTL^SL.
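As an added illustration (not code from the paper), the following Python evaluator implements the satisfaction relation of the SL fragment of Section 2.1 over a small finite Loc, encodes $\sharp e \ge n$, $e_1 \xrightarrow{\circ} e_2$ and $ls$ exactly as defined there, and checks ①, ② and ③ on constructed states of cre_rev run with two nodes instead of 100. Since the page describes alloc and emp only in words, the encodings alloc(e) = ∃y : e ↪ y and emp = ¬∃x : alloc(x) are this example's assumptions, as are all function names.

```python
from itertools import combinations

# Constructed finite universe: Loc = {1, 2, 3}, Val = Loc ∪ {0} (0 is the null location).
LOC = (1, 2, 3)
VAL = (0,) + LOC

# Terms are int constants or str variables; formulas are nested tuples tagged
# with the constructor: 'eq', 'pto' (|->), 'not', 'or', 'sep' (*), 'exists'.
def ev(stack, e):
    """(I_s, I_h)[e]: constants evaluate to themselves, variables via the stack."""
    return e if isinstance(e, int) else stack[e]

def sat(stack, heap, phi):
    """I_s, I_h |=_SL phi for the SL fragment of Sect. 2.1.
    stack: dict Var -> Val; heap: dict Loc -> Val (a finite partial map)."""
    op = phi[0]
    if op == 'eq':
        return ev(stack, phi[1]) == ev(stack, phi[2])
    if op == 'pto':  # e1 |-> e2: dom(I_h) is exactly {e1} and I_h(e1) = e2
        a = ev(stack, phi[1])
        return set(heap) == {a} and heap[a] == ev(stack, phi[2])
    if op == 'not':
        return not sat(stack, heap, phi[1])
    if op == 'or':
        return sat(stack, heap, phi[1]) or sat(stack, heap, phi[2])
    if op == 'sep':  # phi1 * phi2: some split of the heap into disjoint h1 and h2
        cells = list(heap)
        for k in range(len(cells) + 1):
            for left in combinations(cells, k):
                h1 = {c: heap[c] for c in left}
                h2 = {c: heap[c] for c in cells if c not in left}
                if sat(stack, h1, phi[1]) and sat(stack, h2, phi[2]):
                    return True
        return False
    if op == 'exists':  # exists x : phi, with x ranging over the finite Val
        x, body = phi[1], phi[2]
        return any(sat({**stack, x: v}, heap, body) for v in VAL)
    raise ValueError(f'unknown connective {op}')

# Standard derived connectives.
def NOT(a): return ('not', a)
def OR(a, b): return ('or', a, b)
def AND(a, b): return NOT(OR(NOT(a), NOT(b)))
def IMP(a, b): return OR(NOT(a), b)
def NEQ(a, b): return NOT(('eq', a, b))
def EXISTS(x, body): return ('exists', x, body)
def FORALL(x, body): return NOT(EXISTS(x, NOT(body)))
TRUE = ('eq', 0, 0)

# Derived heap predicates of Sect. 2.1. The page describes alloc and emp only in
# words, so their encodings below are assumed: alloc(e) = exists y : e ↪ y and
# emp = not exists x : alloc(x). '_x' and '_y' are fresh bound variables.
def HOOK(e1, e2): return ('sep', ('pto', e1, e2), TRUE)            # e1 ↪ e2
def ALLOC(e): return EXISTS('_y', HOOK(e, '_y'))
EMP = NOT(EXISTS('_x', ALLOC('_x')))
def PRED_GE(e, n):  # ♯e >= n: n separated copies of (exists y : y |-> e), then true
    phi = TRUE
    for _ in range(n):
        phi = ('sep', EXISTS('_y', ('pto', '_y', e)), phi)
    return phi
def PRED_EQ(e, n): return AND(PRED_GE(e, n), NOT(PRED_GE(e, n + 1)))
def PRED_LE(e, n): return NOT(PRED_GE(e, n + 1))
def SEG(e1, e2):  # e1 -o-> e2: list segment e1..e2 plus possibly some cyclic garbage
    return AND(AND(ALLOC(e1),
                   IMP(NEQ(e2, e1), AND(NOT(ALLOC(e2)), PRED_EQ(e1, 0)))),
               AND(FORALL('_x', IMP(NEQ('_x', e2), IMP(PRED_EQ('_x', 1), ALLOC('_x')))),
                   FORALL('_x', IMP(NEQ('_x', 0), PRED_LE('_x', 1)))))
def LS(e1, e2):  # ls(e1, e2) = e1 -o-> e2 and not (e1 -o-> e2 * not emp)
    return AND(SEG(e1, e2), NOT(('sep', SEG(e1, e2), NOT(EMP))))

# The three state assertions of Sect. 2.3.
A1 = OR(AND(('eq', 'x', 0), EMP), LS('x', 0))  # ①
A2 = OR(AND(('eq', 'y', 0), EMP), LS('y', 0))  # ②
A3 = ('sep', A1, A2)                           # ③ = ① * ②

def check_cre_rev():
    """Evaluate ①, ②, ③ on constructed states of cre_rev run with two nodes
    (cells 2 and 1) instead of 100. Returns {state name: (①, ②, ③)}."""
    states = {
        'after_create':  ({'x': 2, 'y': 0, 't': 2}, {2: 1, 1: 0}),  # x -> 2 -> 1 -> null
        'mid_reverse':   ({'x': 1, 'y': 2, 't': 1}, {2: 0, 1: 0}),  # x -> 1, y -> 2: disjoint
        'after_reverse': ({'x': 0, 'y': 1, 't': 0}, {2: 0, 1: 2}),  # y -> 1 -> 2 -> null
        'shared_tail':   ({'x': 2, 'y': 1, 't': 1}, {2: 1, 1: 0}),  # y's list lies inside x's
        'dangling':      ({'x': 2, 'y': 0, 't': 2}, {2: 3, 1: 0}),  # 2 -> 3 but 3 is unallocated
    }
    return {name: tuple(sat(s, h, a) for a in (A1, A2, A3))
            for name, (s, h) in states.items()}

if __name__ == '__main__':
    for name, (a1, a2, a3) in check_cre_rev().items():
        print(f'{name:14s} ①={a1} ②={a2} ③={a3}')
```

Note that ① alone fails at the loop head because the whole heap must be exactly x's list, while ③ holds there since the two lists occupy disjoint sub-heaps; the shared-tail and dangling states show ③ and ① rejecting aliasing and an unallocated successor.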


3 Isomorphic Relationship Between PPTL and PPTL^SL

PPTL and PPTL^SL are closely related in their syntax structures since the only difference is in the state assertions. In this section, an isomorphic relationship between PPTL and PPTL^SL is presented. To do so, as depicted in Fig. 1, first, we reduce a PPTL^SL formula to an equisatisfiable PPTL^SL formula in a restricted form which is a strict subset of PPTL^SL (referred to as restricted PPTL^SL). Second, an isomorphic relationship is built between PPTL formulas and the restricted PPTL^SL formulas according to their syntax structures. To take an example of formula isomorphism, the PPTL formula $Q = p ; q$ is isomorphic to the restricted PPTL^SL formula $P = x = 0 ; y = 0$ since their syntax structures are the same except for the atomic formulas. $Q$ will be changed into $P$ if $p$ is replaced with $x = 0$ and $q$ with $y = 0$, and vice versa.



Fig. 1. The relationship between PPTL^SL and PPTL


3.1 Equisatisfiable Translation

Two formulas are equisatisfiable if the first formula is satisfiable whenever the second is and vice versa. In other words, either both formulas are satisfiable or both are not. Two equisatisfiable formulas may have different models, provided they both have some or both have none. To start with, an equisatisfiable encoding for PPTL^SL is proposed.

Calcagno et al. [21] have already encoded the fragment of propositional separation logic into first-order logic. With the method in [21], we first encode the fragment of first-order separation logic (SL) into quantifier-free first-order logic so as to make the encoding closer to PPTL state formulas. The bounding property for satisfiability of state formulas is given, which will be used to preserve the correctness of our translation. Bounded stacks and bounded heaps are defined as follows.

Definition 1. A bounded stack, written $I_s[X]$, denotes the set of stacks such that $I_s \in I_s[X]$ iff $dom(I_s) = X$, where $X \subseteq Var$. A bounded heap, written $I_h[n]$, denotes the set of heaps such that $I_h \in I_h[n]$ iff $|dom(I_h)| \le n$, where $n \in \mathbb{N}$. □

Given a heap $I_h \in I_h[n]$, we will use a vector $c$ of $n$ pairs of values, $((c_{1,1}, c_{1,2}), \ldots, (c_{n,1}, c_{n,2}))$, to represent that heap. If $c_{i,1} = 0$, the $i$-th pair does not represent an active heap cell; otherwise the cell is allocated at location $c_{i,1}$ and contains the value $c_{i,2}$. For example, $I_h[2]$ is a set of heaps which contains the heap of size one $I_h = \{(1, 2)\}$. Additionally, a vector allows the same location to occur more than once, which should be avoided; e.g., $((1,2),(1,2))$ or $((1,2),(1,3))$ does not represent a valid (or well-formed) heap. In order to overcome this problem, the partial function $vh_n : (Val \times Val)^n \to I_h[n]$ is employed. In particular,

$vh_n(c) = \begin{cases} Undef & \text{if } \exists i, j : 1 \le i, j \le n,\ i \ne j,\ c_{i,1} = c_{j,1},\ c_{i,1} \ne 0 \text{ and } c_{j,1} \ne 0, \\ \{(c_{i,1}, c_{i,2}) \mid c_{i,1} \ne 0 \text{ and } 1 \le i \le n\} & \text{otherwise.} \end{cases}$

Let $C$ denote a vector of pairs of variables, and $|C|$ the number of variable pairs in $C$. If a vector $c$ of the same size is assigned to $C$, $C$ will also potentially represent a heap. In the following, the assertions about heaps in SL are encoded as state formulas in PPTL^SL given by the following grammar:

$\varphi_s ::= e_1 = e_2 \mid \neg\varphi_s \mid \varphi_{s1} \vee \varphi_{s2}$

Given a vector of values $c = ((c_{1,1}, c_{1,2}), \ldots, (c_{n,1}, c_{n,2}))$ and a vector of variables $C = ((C_{1,1}, C_{1,2}), \ldots, (C_{n,1}, C_{n,2}))$, we write $[C \Leftarrow c]$ to denote the pointwise assignment of values to the variables, which is also considered as the set of pairs $\{(C_{i,1}, c_{i,1}), (C_{i,2}, c_{i,2}) \mid 1 \le i \le n\}$. The binary operation $\oplus$ on vectors is in fact a formula defined in Definition 2. It is adopted for capturing the meaning of the separating conjunction $*$.


Definition 2 (Vector Decomposition). For vectors of variables $C$, $C'$ and $C''$ such that $|C| = |C'| = |C''|$, we say $C$ is decomposed as $C'$ and $C''$, defined as

$C = C' \oplus C'' \stackrel{def}{=} \bigwedge_{i \in \{1..|C|\}} \big( (C'_{i,1} = C_{i,1} \wedge C''_{i,1} = 0 \wedge C'_{i,2} = C_{i,2}) \vee (C'_{i,1} = 0 \wedge C''_{i,1} = C_{i,1} \wedge C''_{i,2} = C_{i,2}) \big)$ □

In the sequel, a set of pairs $D = \{(x_1, y_1), (x_2, y_2), \ldots\}$ with no $(x, y), (x, z) \in D$ such that $y \ne z$ is sometimes implicitly interpreted as a function. Conversely, a function $f$ can be interpreted as the set of pairs $\{(x, f(x)) \mid x \in dom(f)\}$. The standard notation $\bigvee_{i \in \{1..n\}} \varphi_s$ is used to represent $\varphi_s[1/i] \vee \cdots \vee \varphi_s[n/i]$, and similarly for $\bigwedge_{i \in \{1..n\}} \varphi_s$. As usual, the notation $fv(\varphi)$ denotes the set of free variables occurring in $\varphi$, which may also be applied to vectors, such as $fv(C)$.

Lemma 1. For any state formula $\varphi$, variable vector $C$ and value vector $c$ where $|C| = |c| = n$, $(I_s, I_h) \in (I_s[fv(\varphi)], I_h[n])$, $vh_n(c) = I_h$ and $fv(\varphi) \cap fv(C) = \emptyset$, there exists a $\varphi_s$ such that

$(I_s, I_h) \models_{SL} \varphi$ iff $(I_s \cup [C \Leftarrow c], \emptyset) \models_{SL} \varphi_s$.
Proof. We use a function $f$ to map a PPTL^SL state formula $\varphi$ to a state formula $\varphi_s$ which is heap-free and has been defined before. The recursive translation $f(\varphi, C)$ takes $\varphi$ and $C$ as two parameters and produces a state formula $\varphi_s$. The variables in $\varphi$ and $C$ are always disjoint, taking the form of two different syntactic categories.

$f(e_1 = e_2, C) \stackrel{def}{=} e_1 = e_2$

$f(e_1 \mapsto e_2, C) \stackrel{def}{=} \bigvee_{i \in \{1..|C|\}} \big( C_{i,1} \ne 0 \wedge \bigwedge_{j \ne i} C_{j,1} = 0 \wedge C_{i,1} = e_1 \wedge C_{i,2} = e_2 \big)$

$f(\neg\varphi, C) \stackrel{def}{=} \neg f(\varphi, C)$

$f(\varphi_1 \vee \varphi_2, C) \stackrel{def}{=} f(\varphi_1, C) \vee f(\varphi_2, C)$

$f(\varphi_1 * \varphi_2, C) \stackrel{def}{=} \bigvee_{c_2 \in Val^{2|C|}} \Big( \bigvee_{c_1 \in Val^{2|C|}} \big( C = C' \oplus C'' \wedge f(\varphi_1, C') \wedge f(\varphi_2, C'') \big)[c_1/C'] \Big)[c_2/C'']$

$f(\exists x : \varphi, C) \stackrel{def}{=} \bigvee_{v \in Val} f(\varphi, C)[v/x]$

where both $C'$ and $C''$ are vectors with fresh variables, $[v/x]$ denotes the substitution of each occurrence of $x$ by $v$, and similarly $[c/C]$ on vectors denotes pointwise substitution. One can draw the conclusion that $f(\varphi, C)$ preserves the satisfaction of $\varphi$ (similar to the proof of Theorem 1 given in [21]). Therefore, the conclusion holds. □


Example 1. Consider the state formula $x \mapsto 0$; we can transform it into a state formula $\varphi_s$ by $f$. Suppose $C = ((h_1, h_1'), (h_2, h_2'))$; the translation is

$f(x \mapsto 0, C)$

$= f(x \mapsto 0, ((h_1, h_1'), (h_2, h_2')))$

$= (h_1 \ne 0 \wedge h_2 = 0 \wedge h_1 = x \wedge h_1' = 0) \vee (h_2 \ne 0 \wedge h_1 = 0 \wedge h_2 = x \wedge h_2' = 0)$

The rewritten result of the formula $(h_1 \ne 0 \wedge h_2 = 0 \wedge h_1 = x \wedge h_1' = 0) \vee (h_2 \ne 0 \wedge h_1 = 0 \wedge h_2 = x \wedge h_2' = 0)$ with any $C'$ is the same as that of $x \mapsto 0$ with $C$ since $f$ is surjective. Observe that the result might change when the size of $C$ increases. However, this does not impact the correctness of the translation, as only one heap cell is active.

Example 2. Consider the separating conjunction formula $x \mapsto 0 * y \mapsto 0$; we can transform it into a formula $\varphi_s$. Suppose $C = ((h_1, h_1'), (h_2, h_2'))$. According to the translation, we should select two fresh vectors $C'$ and $C''$ with the same size as $C$, i.e., $C' = ((h_3, h_3'), (h_4, h_4'))$ and $C'' = ((h_5, h_5'), (h_6, h_6'))$.

$\varphi_{s1} = (C = C' \oplus C'')$

$= ((h_3 = h_1 \wedge h_5 = 0 \wedge h_3' = h_1') \vee (h_3 = 0 \wedge h_5 = h_1 \wedge h_5' = h_1')) \wedge ((h_4 = h_2 \wedge h_6 = 0 \wedge h_4' = h_2') \vee (h_4 = 0 \wedge h_6 = h_2 \wedge h_6' = h_2'))$

$\varphi_{s2} = f(x \mapsto 0, C') = f(x \mapsto 0, ((h_3, h_3'), (h_4, h_4')))$

$= (h_3 \ne 0 \wedge h_4 = 0 \wedge h_3 = x \wedge h_3' = 0) \vee (h_4 \ne 0 \wedge h_3 = 0 \wedge h_4 = x \wedge h_4' = 0)$

$\varphi_{s3} = f(y \mapsto 0, C'') = f(y \mapsto 0, ((h_5, h_5'), (h_6, h_6')))$

$= (h_5 \ne 0 \wedge h_6 = 0 \wedge h_5 = y \wedge h_5' = 0) \vee (h_6 \ne 0 \wedge h_5 = 0 \wedge h_6 = y \wedge h_6' = 0)$

$\varphi_s = f(x \mapsto 0 * y \mapsto 0, C) = f(x \mapsto 0 * y \mapsto 0, ((h_1, h_1'), (h_2, h_2')))$

$= \bigvee_{c_2 \in Val^{2|C|}} \Big( \bigvee_{c_1 \in Val^{2|C|}} (\varphi_{s1} \wedge \varphi_{s2} \wedge \varphi_{s3})[c_1/C'] \Big)[c_2/C'']$


How to choose C. Let us restrict our attention to $C$, which should be chosen carefully. For example, assume $C$ in Example 2 has size one, i.e., $C = ((h_1, h_1'))$. It is then impossible to find a suitable model, because the heap is expected to have exactly two cells for the formula $x \mapsto 0 * y \mapsto 0$, but $|C|$ equals one. Hence the rewritten formula is equivalent to false. In a word, $|C|$ is important in the translation and should not be too small, or it may result in finding no satisfiable model for a given formula. In the following we provide a basic definition which is useful in choosing $C$. To take one example, the size of $e_1 \mapsto e_2$ is one because, in order to decide whether it or its negation is satisfiable, it is enough to consider heaps with at most one allocated location. Consequently, when translating $e_1 \mapsto e_2$, the size of the parameter $C$ should be one or larger.
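To make Example 2 and the choice of $C$ concrete, here is an added Python check (not the paper's code) that implements $vh_n$, the vector decomposition of Definition 2 and the $\mapsto$ and $*$ cases of $f$ as evaluators, verifies Lemma 1 for $x \mapsto 0 * y \mapsto 0$ by brute force over a constructed $Loc = \{1, 2\}$, and shows that the translated $\varphi_s$ is unsatisfiable when $|C| = 1$. All names (vh, f_pto, f_sep, decomposes, splits, lemma1_holds, phi_s_satisfiable) are this example's own.

```python
from functools import lru_cache
from itertools import product

# Constructed finite universe: Loc = {1, 2}, Val = Loc ∪ {0}.
VAL = (0, 1, 2)
PAIRS = tuple(product(VAL, repeat=2))   # all possible (c_{i,1}, c_{i,2}) pairs

def vectors(n):
    """All value vectors c in (Val x Val)^n."""
    return tuple(product(PAIRS, repeat=n))

def ev(stack, e):
    """Term evaluation: int constants evaluate to themselves, variables via the stack."""
    return e if isinstance(e, int) else stack[e]

def vh(c):
    """vh_n(c): the heap represented by a vector, or None (Undef) when two active
    pairs (first component != 0) claim the same location."""
    heap = {}
    for loc, val in c:
        if loc != 0:
            if loc in heap:
                return None
            heap[loc] = val
    return heap

# f(phi, C) is a quantifier-free disjunction over the variables of C. Evaluating it
# under the assignment [C <= c] amounts to looping over its disjuncts, so each
# translated formula is represented here as a function of (stack, c).
def f_pto(e1, e2):
    """f(e1 |-> e2, C): exactly one pair i is active, at location e1 holding e2."""
    def phi(stack, c):
        return any(c[i][0] != 0 and all(c[j][0] == 0 for j in range(len(c)) if j != i)
                   and c[i][0] == ev(stack, e1) and c[i][1] == ev(stack, e2)
                   for i in range(len(c)))
    return phi

def decomposes(c, c1, c2):
    """Definition 2, C = C' (+) C'', checked pointwise on value vectors."""
    return all((a1[0] == a[0] and a2[0] == 0 and a1[1] == a[1]) or
               (a1[0] == 0 and a2[0] == a[0] and a2[1] == a[1])
               for a, a1, a2 in zip(c, c1, c2))

@lru_cache(maxsize=None)
def splits(c):
    """All (c1, c2) with c = c1 (+) c2: the disjuncts of f(phi1 * phi2, C) whose
    decomposition conjunct survives under [c1/C'][c2/C'']; cached per c."""
    vs = vectors(len(c))
    return tuple((c1, c2) for c1 in vs for c2 in vs if decomposes(c, c1, c2))

def f_sep(phi1, phi2):
    """f(phi1 * phi2, C): disjunction over c1 for C' and c2 for C''."""
    def phi(stack, c):
        return any(phi1(stack, c1) and phi2(stack, c2) for c1, c2 in splits(c))
    return phi

# phi_s of Example 2, the translation of x |-> 0 * y |-> 0.
PHI_S = f_sep(f_pto('x', 0), f_pto('y', 0))

def sl_direct(stack, heap):
    """Direct SL semantics of x |-> 0 * y |-> 0: the heap is exactly the two
    distinct, non-null cells x and y, both holding 0."""
    x, y = stack['x'], stack['y']
    return x != 0 and y != 0 and x != y and heap == {x: 0, y: 0}

def lemma1_holds(n=2):
    """Check Lemma 1 for Example 2 with |C| = n: over every stack for x, y and
    every c with vh_n(c) defined, (I_s, vh_n(c)) |=_SL phi iff
    (I_s ∪ [C <= c], ∅) |=_SL phi_s. Returns (states checked, states satisfying)."""
    checked = satisfying = 0
    for x, y in product(VAL, repeat=2):
        stack = {'x': x, 'y': y}
        for c in vectors(n):
            heap = vh(c)
            if heap is None:
                continue
            lhs, rhs = sl_direct(stack, heap), PHI_S(stack, c)
            if lhs != rhs:
                raise AssertionError(f'mismatch at {stack}, c={c}: {lhs} vs {rhs}')
            checked += 1
            satisfying += lhs
    return checked, satisfying

def phi_s_satisfiable(n):
    """'How to choose C': is phi_s satisfiable at all when |C| = n?"""
    return any(PHI_S({'x': x, 'y': y}, c)
               for x, y in product(VAL, repeat=2) for c in vectors(n))
```

With $|C| = 2$ the only satisfying states are the stacks $\{x \mapsto 1, y \mapsto 2\}$ and $\{x \mapsto 2, y \mapsto 1\}$ with the two vectors representing the heap $\{(1,0),(2,0)\}$; with $|C| = 1$ no state satisfies $\varphi_s$, as the text above predicts.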

Definition 3 (Size of State Formula). Given a state formula $\varphi$, its size $|\varphi|$ is defined by

$|e_1 = e_2| = 0 \qquad |e_1 \mapsto e_2| = 1 \qquad |\varphi_1 \vee \varphi_2| = max(|\varphi_1|, |\varphi_2|)$

$|\neg\varphi| = |\varphi| \qquad |\varphi_1 * \varphi_2| = |\varphi_1| + |\varphi_2|$ □

The quantifier does not appear in the above definition since it can be expanded into a disjunction formula. Roughly speaking, $|C| = |\varphi| + |fv(\varphi)|$ is just enough [21] to bound the size of the heaps that need to be considered. The previous lemma describes how the state formulas are encoded. We are now in the position to translate full PPTL^SL formulas. Before treating the translation, let us define restricted PPTL^SL (RPPTL^SL for short) formulas.

$P_s ::= e_1 = e_2 \mid \neg P_s \mid P_{s1} \vee P_{s2} \mid \bigcirc P_s \mid (P_{s1}, \ldots, P_{sm})\ prj\ P_s \mid P_s^*$

It is easy to see that $\varphi_s$ serves as the state formulas of $P_s$. The translation $F$ defined below takes charge of mapping a PPTL^SL formula to an RPPTL^SL formula. This function also preserves the satisfaction of $P$, where $C$ is a vector of variables and $\varphi$ denotes $e_1 = e_2$, $e_1 \mapsto e_2$, $\varphi_1 * \varphi_2$ or $\exists x : \varphi$.

$F(\varphi, C) \stackrel{def}{=} f(\varphi, C) \qquad F(\neg P, C) \stackrel{def}{=} \neg F(P, C)$

$F(P_1 \vee P_2, C) \stackrel{def}{=} F(P_1, C) \vee F(P_2, C) \qquad F(\bigcirc P, C) \stackrel{def}{=} \bigcirc F(P, C)$

$F((P_1, \ldots, P_m)\ prj\ P_0, C) \stackrel{def}{=} (F(P_1, C), \ldots, F(P_m, C))\ prj\ F(P_0, C)$

$F(P^*, C) \stackrel{def}{=} F(P, C)^*$

Now, let us prove a crucial result, basically stating that translating $P$ to $P_s$ by the above encoding $F$ also produces an equisatisfiable result for $P$. It will turn out to be useful later on. Note that there is only a single vector $C$ when translating $P$, because different values can be assigned to $C$ for the sake of representing heap evolutions in an interval. Given an interval $\sigma$, $\sigma[(I_s, I_h)/(I_s^i, I_h^i)]$ is the interval obtained by replacing the $i$-th state $(I_s^i, I_h^i)$ with $(I_s, I_h)$.

Theorem 1. For any PPTL^SL formula $P$, intervals $\sigma = \langle \ldots, (I_s^i, I_h^i), \ldots \rangle$ and $\sigma'$, set of variable vectors $C_\sigma = \{\ldots, C, \ldots\}$, set of value vectors $c_\sigma = \{\ldots, c_i, \ldots\}$ where $fv(P) \cap fv(C) = \emptyset$, $|C_\sigma| = |c_\sigma| = |\sigma|$, $\sigma' = \sigma[\cdots, (I_s^i \cup [C \Leftarrow c_i], \emptyset)/(I_s^i, I_h^i), \cdots]$, $|C| = |c_i| = n$, $(I_s^i, I_h^i) \in (I_s[fv(P)], I_h[n])$, and $vh_n(c_i) = I_h^i$ for all $i$,

$(\sigma, 0, |\sigma|) \models P$ iff $(\sigma', 0, |\sigma'|) \models F(P, C)$.

Proof. The proof is based on a structural induction over $P$.

Case: $P = e_1 = e_2$, $e_1 \mapsto e_2$, $\varphi_1 * \varphi_2$ or $\exists x : \varphi$.

$\Longrightarrow$: Suppose $(\sigma, 0, |\sigma|) \models P$. Since $P$ is a state formula, $(I_s^0, I_h^0) \models_{SL} P$. Since $(I_s^0, I_h^0) \in (I_s[fv(P)], I_h[n])$, $vh_n(c_0) = I_h^0$ and $fv(P) \cap fv(C) = \emptyset$, by Lemma 1 $P$ is equisatisfiable to $f(P, C)$, i.e., $(I_s^0 \cup [C \Leftarrow c_0], \emptyset) \models_{SL} f(P, C)$. Hence, we have $(\sigma', 0, |\sigma'|) \models f(P, C)$. Furthermore, $F(P, C) = f(P, C)$ according to the definition of $F$. Thus, $(\sigma', 0, |\sigma'|) \models F(P, C)$.

$\Longleftarrow$: Suppose $(\sigma', 0, |\sigma'|) \models F(P, C)$. By the definition of $F$, we have $F(P, C) = f(P, C)$. Moreover, since $f(P, C)$ is a state formula, $(I_s^0 \cup [C \Leftarrow c_0], \emptyset) \models_{SL} f(P, C)$. Since $(I_s^0, I_h^0) \in (I_s[fv(P)], I_h[n])$, $vh_n(c_0) = I_h^0$ and $fv(P) \cap fv(C) = \emptyset$, by Lemma 1 $f(P, C)$ is equisatisfiable to $P$, i.e., $(I_s^0, I_h^0) \models_{SL} P$. Therefore, $(\sigma, 0, |\sigma|) \models P$.

The other cases are straightforward to prove. □


Recall that the size of $C$, corresponding to a heap size, is required to be bounded when translating a state formula. But for a temporal formula $P$, there may be more than one state formula that needs to be considered at the same time. The maximum size should be selected. Concretely, the size of the vector $C$ for translating $P$ will be

$|C|_P = max(\{ |\varphi| + |fv(\varphi)| \mid \varphi \text{ occurs in } P \})$

For instance, for the formula $\bigcirc x = 0 \vee \Box x \mapsto 0$, there exist two state formulas $x \mapsto 0$ and $x = 0$ in it. The size of $C$ for translating $P$ should be $max(\{2, 1\}) = 2$, which is the larger of the sizes for translating the two state formulas.

Example 3. Given a PPTL^SL formula $P = \bigcirc x = 0 \vee \Box x \mapsto 0$, we can find an RPPTL^SL formula $P_s$ which preserves the satisfaction of $P$ under the conditions presented in Theorem 1. We choose the variable vector as $C = ((h_1, h_1'), (h_2, h_2'))$.

$F(\bigcirc x = 0 \vee \Box x \mapsto 0, C)$

$= F(\bigcirc x = 0, C) \vee F(\Box x \mapsto 0, C)$

$= \bigcirc F(x = 0, C) \vee \Box F(x \mapsto 0, C)$

$= \bigcirc f(x = 0, ((h_1, h_1'), (h_2, h_2'))) \vee \Box f(x \mapsto 0, ((h_1, h_1'), (h_2, h_2')))$

$= \bigcirc x = 0 \vee \Box ((h_1 \ne 0 \wedge h_2 = 0 \wedge h_1 = x \wedge h_1' = 0) \vee (h_2 \ne 0 \wedge h_1 = 0 \wedge h_2 = x \wedge h_2' = 0))$

In fact the above results enable us to concentrate only on RPPTL^SL instead of PPTL^SL. RPPTL^SL does not contain heap formulas, so it gives a more compact view of PPTL^SL. In the sequel, we will establish an isomorphism relationship between RPPTL^SL and PPTL in a natural way so as to reuse the theory of PPTL.

3.2 Isomorphism Relationship

Let $L_{P_s}$ denote the set of all RPPTL^SL formulas and $L_Q$ the set of all PPTL formulas. The second key step in our theory is to introduce a one-to-one relationship between $L_{P_s}$ and $L_Q$ with respect to their syntax structures.

Lemma 2. There exists a bijective relationship between the atomic equation formulas of $P_s$ and the atomic propositions of $Q$.

Proof. Let $Var = \{x_0, x_1, x_2, \ldots\}$ be the countably infinite set of variables. Assume the countably infinite set of propositions is $Prop = \{p_{0,1}, \ldots, p_{i,j}, \ldots, q_{0,0}, \ldots, q_{i',j'}, \ldots\}$, where $0 \le i' \le n$, $1 \le j$, $0 \le j'$, $0 \le i$, and $i < j$. The function $g$ is defined as

$g(i' = x_{j'}) = q_{i',j'} \qquad g(x_i = x_j) = p_{i,j},\ i < j$

Obviously, $g$ is bijective. Hence the conclusion holds. □

It remains to establish the structural isomorphism between RPPTL^SL and PPTL. The next result gives another important step towards the development of our techniques. Before doing that, we define formula isomorphism at the syntax structure level.

Definition 4 (Isomorphism). Given an RPPTL^SL formula $P_s$ and a PPTL formula $Q$, $P_s$ is said to be isomorphic to $Q$ (written $P_s \cong Q$) if and only if

(1) $P_s = e_1 = e_2$, $Q = q$, $g(e_1 = e_2) = q$ ($g$ is defined in Lemma 2), or

(2) $P_s = \neg P_{s1}$, $Q = \neg Q_1$, $P_{s1} \cong Q_1$, or

(3) $P_s = P_{s1} \vee P_{s2}$, $Q = Q_1 \vee Q_2$, $P_{s1} \cong Q_1$, $P_{s2} \cong Q_2$, or

(4) $P_s = \bigcirc P_{s1}$, $Q = \bigcirc Q_1$, $P_{s1} \cong Q_1$, or

(5) $P_s = (P_{s1}, \ldots, P_{sm})\ prj\ P_{s0}$, $Q = (Q_1, \ldots, Q_m)\ prj\ Q_0$, $P_{si} \cong Q_i$ for all $i$, or

(6) $P_s = P_{s1}^*$, $Q = Q_1^*$, $P_{s1} \cong Q_1$. □

Theorem 2 shows that there actually exists a bijective relationship between 
$L_{P_S}$ and $L_Q$ from the point of view of syntactic equivalence. It allows us to reuse the 
theory of PPTL for RPPTL$^{SL}$, especially the logic laws, the decision procedure and 
the related definitions. 

Theorem 2. For any RPPTL$^{SL}$ formula $P_S$, there exists a PPTL formula $Q$ 
such that $P_S \cong Q$, and vice versa. 

Proof. Given a formula $P_S$, a mapping $G : L_{P_S} \to L_Q$ is constructed as 

$G(e_1 = e_2) = g(e_1 = e_2)$, $\quad G(\neg P_S) = \neg G(P_S)$, 

$G(\bigcirc P_S) = \bigcirc G(P_S)$, $\quad G(P_{S_1} \vee P_{S_2}) = G(P_{S_1}) \vee G(P_{S_2})$, 

$G((P_{S_1}, \ldots, P_{S_m})\ prj\ P_{S_0}) = (G(P_{S_1}), \ldots, G(P_{S_m}))\ prj\ G(P_{S_0})$, 

$G(P_S^*) = G(P_S)^*$. 

As expected, a formula $Q$ can be found such that $P_S \cong Q$ by Definition 4. 
Given a formula $Q$, a mapping $H : L_Q \to L_{P_S}$ is constructed as 

$H(q) = g^{-1}(q)$, $\quad H(\neg Q) = \neg H(Q)$, 

$H(\bigcirc Q) = \bigcirc H(Q)$, $\quad H(Q_1 \vee Q_2) = H(Q_1) \vee H(Q_2)$, 

$H((Q_1, \ldots, Q_m)\ prj\ Q_0) = (H(Q_1), \ldots, H(Q_m))\ prj\ H(Q_0)$, 

$H(Q^*) = H(Q)^*$. 

Hence a formula $P_S$ can be found such that $Q \cong P_S$ by Definition 4. □ 
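As an added example (not the paper's own code), the mappings $G$ and $H$ from the proof above and the six clauses of Definition 4 are written out over a tuple encoding of formulas. The atom bijection implements only the $p_{i,j}$ case of Lemma 2, $g(x_i = x_j) = p_{i,j}$ with $i < j$; the $q$-propositions of the lemma are not reconstructed here, which is an assumption of the example. The connective names and the tuple layout are likewise the example's own choices.

```python
"""Syntactic isomorphism between RPPTL^SL and PPTL (added example).

Formulas are nested tuples:
  RPPTL^SL atom  ('eq', i, j)    stands for  x_i = x_j  (i < j)
  PPTL atom      ('prop', i, j)  stands for  p_{i,j}
Shared connectives: ('not', P), ('or', P, Q), ('next', P),
('prj', (P1, ..., Pm), P0) and ('star', P).
"""


def g(atom):
    """Lemma 2 bijection, p-case only (assumption): g(x_i = x_j) = p_{i,j}, i < j."""
    kind, i, j = atom
    if kind != 'eq' or not i < j:
        raise ValueError("expected ('eq', i, j) with i < j")
    return ('prop', i, j)


def g_inv(prop):
    """Inverse of g: g^{-1}(p_{i,j}) = (x_i = x_j)."""
    kind, i, j = prop
    if kind != 'prop' or not i < j:
        raise ValueError("expected ('prop', i, j) with i < j")
    return ('eq', i, j)


def map_atoms(f, atom_fn):
    """Shared skeleton of G and H: replace atoms, keep every temporal
    connective exactly where it is (the 'isomorphic' structure)."""
    kind = f[0]
    if kind in ('eq', 'prop'):
        return atom_fn(f)
    if kind in ('not', 'next', 'star'):
        return (kind, map_atoms(f[1], atom_fn))
    if kind == 'or':
        return (kind, map_atoms(f[1], atom_fn), map_atoms(f[2], atom_fn))
    if kind == 'prj':
        return (kind, tuple(map_atoms(p, atom_fn) for p in f[1]),
                map_atoms(f[2], atom_fn))
    raise ValueError(f"unknown connective {kind!r}")


def G(ps):
    """G : L_{P_S} -> L_Q from the proof of Theorem 2."""
    return map_atoms(ps, g)


def H(q):
    """H : L_Q -> L_{P_S} from the proof of Theorem 2."""
    return map_atoms(q, g_inv)


def isomorphic(ps, q):
    """Definition 4, checked clause by clause: P_S is isomorphic to Q."""
    if ps[0] == 'eq' and q[0] == 'prop':
        return g(ps) == q                                   # clause (1)
    if ps[0] != q[0]:
        return False
    if ps[0] in ('not', 'next', 'star'):                    # clauses (2), (4), (6)
        return isomorphic(ps[1], q[1])
    if ps[0] == 'or':                                       # clause (3)
        return isomorphic(ps[1], q[1]) and isomorphic(ps[2], q[2])
    if ps[0] == 'prj':                                      # clause (5)
        return (len(ps[1]) == len(q[1])
                and all(isomorphic(a, b) for a, b in zip(ps[1], q[1]))
                and isomorphic(ps[2], q[2]))
    return False


# Constructed sample formula (not from the paper):
#   next(x_0 = x_1)  or  ((x_0 = x_2), (x_1 = x_2)*) prj not(x_0 = x_1)
SAMPLE_PS = ('or', ('next', ('eq', 0, 1)),
             ('prj', (('eq', 0, 2), ('star', ('eq', 1, 2))), ('not', ('eq', 0, 1))))

if __name__ == '__main__':
    q = G(SAMPLE_PS)
    print(q)
    print(isomorphic(SAMPLE_PS, q), H(q) == SAMPLE_PS)
```

Because `G` and `H` only touch the atoms, `H(G(P_S)) == P_S` holds for every formula built from the listed connectives, which is the bijection Theorem 2 asserts; `isomorphic` is the independent check that the result also satisfies Definition 4.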

4 Decision Procedure for PPTL$^{SL}$ 

In the previous section, we proved an isomorphism relationship between PPTL$^{SL}$ 
and PPTL so as to reuse the theory of PPTL. In this section we sketch a decision procedure 
for checking the satisfiability of PPTL$^{SL}$ formulas. 
Due to space constraints, we do not present the complete definitions and algorithms 
in the rest of this section; they can be found in the papers [22,23] with 
slight changes. 
The decision procedure for checking the satisfiability of PPTL formulas relies 
heavily on a specific formula form called Normal Form. Informally, the normal 
form of a formula divides the formula into two rather intuitive parts: the present 
component and the future component; the former means the end point of the current interval 
has been reached, while the latter means the opposite. Similarly, 
we can define a normal form for RPPTL$^{SL}$ formulas, since RPPTL$^{SL}$ is isomorphic 
to PPTL. 

$P_S \equiv \bigvee_{j=1}^{n'} (P_{e_j} \wedge \varepsilon) \vee \bigvee_{i=1}^{n} (P_{c_i} \wedge \bigcirc P_i')$ 

where $P_{e_j}$ and $P_{c_i}$ are conjunctions composed of atomic equation formulas or 
their negations, and $P_i'$ is a general RPPTL$^{SL}$ formula. 

Using a proof very similar to that of Duan et al., one can derive that any 
RPPTL$^{SL}$ formula can be rewritten into its normal form, since the logic laws 
are inherited from PPTL. 

We now give Algorithm 1 for transforming a PPTL$^{SL}$ formula into a normal 
form of its equisatisfiable RPPTL$^{SL}$ formula. The most important difference 
from the algorithm of Duan et al. lies in the treatment of state formulas, which uses the 
translation formalized in the previous section. The treatment of the temporal 
connectives remains the same. In particular, the sub-algorithm CONF is used 
to transform a normal form into its complete normal form, while algorithm 
NEG is used to negate a complete normal form obtained from algorithm CONF. 
Algorithms PRJ and CHOP are used to transform formulas 
in projection and chop constructs, respectively, to their normal forms. These algorithms are 
analogous to those given in [52] and [53]. Algorithm DNF equivalently rewrites 
a formula into its disjunctive normal form. 


Algorithm 1 Algorithm for translating a PPTL$^{SL}$ formula to a normal form of its 
equisatisfiable RPPTL$^{SL}$ formula 
Function NF(F(P, C)) 

begin function 
  case 
    P is e₁ = e₂ or e₁ ↦ e₂ or φ₁ ∗ φ₂ or ∃x : φ: return DNF(F(P, C)) ∧ ε ∨ DNF(F(P, C)) ∧ ○true; 
    P is P₁ ∨ P₂: return NF(F(P₁, C)) ∨ NF(F(P₂, C)); 
    P is ¬P₁: return NEG(CONF(NF(F(P₁, C)))); 
    P is ○P₁: return F(P, C); 
    P is P₁ ; P₂: return CHOP(F(P, C)); 
    P is (P₁, ..., Pₘ) prj P₀: return PRJ(F(P, C)); 
    P is P₁*: return ε ∨ CHOP(F(P₁, C) ; F(P₁, C)*); 
  end case 
end function 


Analogous to PPTL, RPPTL$^{SL}$ has its normal form, which is useful for constructing 
a graph structure that explicitly characterizes the models of the corresponding 
formula. The graph structure, called Normal Form Graph (NFG), is 
constructed according to the normal form. For a RPPTL$^{SL}$ formula $P_S$, the NFG 
of $P_S$ is a directed graph $G = (CL(P_S), EL(P_S))$, where $CL(P_S)$ denotes the set 
of nodes and $EL(P_S)$ denotes the set of edges in the graph. In $CL(P_S)$, each node 
is specified by a formula in PPTL$^{SL}$, while in $EL(P_S)$, each edge is a directed 
arc labeled with a state formula $P_e$ from node $P_S$ to node $P_S'$ and identified by a 
triple $(P_S, P_e, P_S')$. In short, the NFG of $P_S$ can be built by a recursive approach. 

As an example, consider the PPTL$^{SL}$ formula $P = \Diamond x = 0 \vee \Box x \mapsto 0$. We 
first translate $P$ to its equisatisfiable formula $F(P, C)$ with $F$ and $C$; then the 
NFG of $F(P, C)$ can be constructed as shown in the figure below. The edges are labeled in 
red and the nodes in black. 


[Figure: NFG of $F(P, C)$. PPTL$^{SL}$ formula: $\Diamond x = 0 \vee \Box x \mapsto 0$; RPPTL$^{SL}$ formula: $\Diamond F(x = 0, C) \vee \Box F(x \mapsto 0, C)$.] 

Edges labeled by unsatisfiable state formulas should be removed 
from an NFG. A finite path from the root node to the $\varepsilon$ node in the NFG of 
a formula corresponds to a finite model of the formula, while an infinite path 
emanating from the root corresponds to an infinite model of the formula. There 
exist several finite or infinite paths in the figure. For instance, $\Diamond F(x = 0, C) \vee 
\Box F(x \mapsto 0, C)$, $\mathrm{DNF}(F(x \mapsto 0, C))$, $\varepsilon$ is a finite path, and $\Diamond F(x = 0, C) \vee 
\Box F(x \mapsto 0, C)$, $true$, $F(x = 0, C)$, $\mathrm{DNF}(F(x = 0, C))$, $true$, ... is an infinite path. 
Therefore, the formula is satisfiable. Based on the NFG, a decision procedure for 
checking satisfiability of PPTL$^{SL}$ formulas can be obtained similar to the one 
presented in [22,23] for PPTL formulas. 
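To make the normal form of this section and the path criterion above concrete, here is an added example (not from the paper or from the cited PPTL implementations) that computes normal forms, builds the NFG and decides satisfiability for a PPTL formula over propositions, i.e. the kind of formula an RPPTL$^{SL}$ formula becomes under the mapping $G$. The fragment is propositions and their negations, $\wedge$, $\vee$, $\varepsilon$, $\bigcirc$, $\Diamond$ and $\Box$ (no chop or projection, so the sub-algorithms CHOP, PRJ, CONF and NEG are not needed); the expansion laws $\Diamond P \equiv P \vee \bigcirc\Diamond P$ and $\Box P \equiv P \wedge (\varepsilon \vee \bigcirc\Box P)$, the tuple encoding and the propositional consistency check for edge labels are the example's assumptions. It also carries the caveat a practitioner wants when reusing the "infinite path = infinite model" reading: a cycle on which a $\Diamond$ obligation is deferred on every edge is not a model (for instance $\Diamond p \wedge \Box\neg p$ has an infinite path but no model), so the example records deferred $\Diamond$ obligations on the edges and checks that no obligation is deferred on all edges of a strongly connected component.

```python
"""NFG construction and satisfiability for a PPTL fragment (added example)."""

EPS, TRUE = ('eps',), ('true',)


def lit(name, positive=True):
    """Proposition or its negation, e.g. the image g(x_i = x_j) of an equation."""
    return ('lit', name, positive)


def conj(*parts):
    """Canonical conjunction: flatten, drop 'true', so equal obligations are equal nodes."""
    items = set()
    for p in parts:
        items.update(p[1] if p[0] == 'and' else ([] if p == TRUE else [p]))
    if not items:
        return TRUE
    return next(iter(items)) if len(items) == 1 else ('and', frozenset(items))


def normal_form(f):
    """Disjuncts (literals, tail, deferred): present component when tail == EPS,
    otherwise 'literals and next(tail)'.  deferred lists diamond obligations
    postponed to the next state by this disjunct."""
    kind = f[0]
    if kind == 'lit':
        return [(frozenset([f]), EPS, frozenset()), (frozenset([f]), TRUE, frozenset())]
    if kind == 'eps':
        return [(frozenset(), EPS, frozenset())]
    if kind == 'true':
        return [(frozenset(), EPS, frozenset()), (frozenset(), TRUE, frozenset())]
    if kind == 'next':
        return [(frozenset(), f[1], frozenset())]
    if kind == 'or':
        return normal_form(f[1]) + normal_form(f[2])
    if kind == 'and':  # cross product; 'eps and next(X)' is unsatisfiable and dropped
        acc = normal_form(TRUE)
        for part in f[1]:
            acc = [(l1 | l2, EPS if t1 == EPS else conj(t1, t2), d1 | d2)
                   for l1, t1, d1 in acc for l2, t2, d2 in normal_form(part)
                   if (t1 == EPS) == (t2 == EPS)]
        return acc
    if kind == 'diamond':  # assumed law: <>P == P or next(<>P); deferral is recorded
        return normal_form(f[1]) + [(frozenset(), f, frozenset([f]))]
    if kind == 'box':      # assumed law: []P == P and (eps or next([]P))
        return normal_form(conj(f[1], ('or', EPS, ('next', f))))
    raise ValueError(f"unknown connective {kind!r}")


def consistent(lits):
    """Propositional stand-in for 'the state formula is satisfiable': no p with not-p.
    For equational labels this would be a decision procedure for equalities."""
    positive = {l[1] for l in lits if l[2]}
    return not any(l[1] in positive for l in lits if not l[2])


def build_nfg(root):
    """Nodes are formulas; edges are (node, literals, successor, deferred).
    Edges whose label is unsatisfiable are removed, as the text prescribes."""
    nodes, edges, todo = {root}, [], [root]
    while todo:
        node = todo.pop()
        for lits, tail, deferred in normal_form(node):
            if not consistent(lits):
                continue
            edges.append((node, lits, tail, deferred))
            if tail not in nodes:
                nodes.add(tail)
                if tail != EPS:
                    todo.append(tail)
    return nodes, edges


def satisfiable(root):
    """Finite model: the eps node is reachable.  Infinite model: a reachable SCC
    with a cycle on which no diamond obligation is deferred on every edge."""
    nodes, edges = build_nfg(root)
    if EPS in nodes:
        return True
    succ = {n: set() for n in nodes}
    for u, _, v, _ in edges:
        succ[u].add(v)
    reach = {}
    for n in nodes:  # reach[n]: nodes reachable from n in one or more steps
        seen, stack = set(), [n]
        while stack:
            for y in succ[stack.pop()]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        reach[n] = seen
    by_scc = {}
    for u, _, v, deferred in edges:
        if u in reach[v]:  # the edge lies on a cycle
            scc = frozenset(w for w in reach[u] if u in reach[w])
            by_scc.setdefault(scc, []).append(deferred)
    return any(all(any(d not in ds for ds in dsets) for d in set().union(*dsets))
               for dsets in by_scc.values())


if __name__ == '__main__':
    p, q = lit('p'), lit('q')
    print(satisfiable(('or', ('diamond', p), ('box', q))))        # finite path to eps
    print(satisfiable(conj(('diamond', p), ('box', lit('p', False)))))  # only a deferring cycle
```

The root formula plays the part of the root node in the text; `build_nfg` is the recursive construction, and `satisfiable` is the path check. Replacing `consistent` with a solver for the equational state formulas of RPPTL$^{SL}$ is the only change needed to run the same graph construction on the image of a translated heap formula.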
5 Conclusion 

This paper integrates a decidable fragment of Separation Logic (SL) with Propositional 
Projection Temporal Logic (PPTL) to obtain a two-dimensional (spatial 
and temporal) logic PPTL$^{SL}$. The state formulas of PPTL$^{SL}$ are SL assertions, 
on top of which are the outer temporal connectives taken from PPTL. It is obvious 
that the two-dimensional logic combines the advantages of both, and 
it has the ability to relate consecutive configurations of the heap. In short, it 
enables us to verify temporal properties of heaps. 

Furthermore, in a general sense, another important contribution is that we 
also prove an isomorphism relationship between PPTL and PPTL$^{SL}$ formulas. 
This allows us to reuse PPTL theory to solve the satisfiability problem of PPTL$^{SL}$. 
In the future, a model checking approach using PPTL$^{SL}$ as the specification 
language will be studied. We will possibly explore the unified model checking 
approach [21] with PPTL$^{SL}$ as the specification language soon. The program is 
modeled by MSVL (Modeling, Simulation and Verification Language) [25], which 
is an executable logic programming language. In addition, to examine the entire 
approach, several large case studies will also be carried out. 